No right to publish vulnerabilities?

Declan McCullagh reports on the MBTA's claim that the MIT researchers have no first amendment right to publish their research:
First Amendment protection does not extend to speech that advocates a violation of law, where the advocacy "is directed to inciting or producing imminent lawless action and is likely to incite or produce such action." The Individual Defendants' conduct falls squarely within this well established zone of no protection.

First, unless restrained, the Individual Defendants would have given their Presentation, and related materials (which have not yet been made available) to one of the world's largest hacker conferences. Advocacy in favor of illegal behavior, in this context, is likely to incite or produce illegal behavior. Second, the Presentation, and likely the related code and materials, unequivocally constitute advocacy in favor of a violation of law.... the Individual Defendants are vigorously and energetically advocating illegal activity, and this advocacy, in the context of the DEFCON Conference, is both directed to inciting or producing imminent lawless action, and likely to produce such action. Therefore, the Individual Defendants enjoy no protections under the First Amendment.

I've reviewed the MIT group's slides, and while they do involve a certain level of hype, the general tone isn't that out of place in the security community. It didn't strike me as "advocacy in favor of illegal behavior". Rather, it simply described a set of vulnerabilities, some description of how they could be exploited, and the impact of exploitation. Obviously, this sort of disclosure could result in some illegal behavior, but that's a potential result of any paper describing vulnerabilities. Unless I'm missing something, the rule the MBTA is proposing would effectively allow the banning of publication of any security vulnerabilities. Incidentally, the bit about the "context of the DEFCON conference" is odd. Perhaps the MBTA would be so good as to provide a list of venues at which it's ok to publish your results. Full Disclosure? W00T? USENIX Security? The New York Times?

The Individual Defendants' DEFCON presentation constitutes commercial speech. Commercial speech is any "speech that proposes a commercial transaction." Here, the Presentation is full of marketing, and self-promotional statements. It is not a research paper. As commercial speech advertising illegal activity, it receives no First Amendment protection.

What a bizarre statement. Leaving aside the question of whether self-promotion is sufficient to make something commercial speech (I'm not a lawyer but my understanding is that it isn't), when was the last time you saw a research paper that wasn't full of marketing and self-promotional statements?


The MBTA website at too is full of marketing and self-promotional statements. Does the MBTA have a First Amendment right to publish that website?

This whole mess reminds me of the ongoing digital music and DRM fiasco. These companies and organizations have a point and deserve some level of protection, but their idea of what that protection should look like is both selfish and ignorant. These problems aren't an attack against them, they are the growing pains which result from the way digital computing is shifting the foundations of society and commerce. Also, they need to realize that they can't solve problems by shutting up the people who tell them about their problems - that actually makes their problems worse. (unless they control the press ...)

On that note, their statement that the first amendment doesn't protect speech which advocates the violation of the law surprises me. I'm not a lawyer either, but that sounds too general. This interpretation of the first amendment would make it illegal to advocate civil disobedience. That doesn't sound correct.
